This post is part of a series. The chapter index is located here.
In this lab we will configure the first AD management agent and set up run profiles.
Creating the first AD MA
Most MIM installations are made to handle a single forest, or maybe even a single Active Directory domain. As mentioned in the index, I am planning a multi-forest lab. Each forest needs its own AD management agent, and in this chapter we configure the first one.
Create a service account in the target domain/forest
Create an account called MIMADSync and make it a member of domain administrators. This account is for the AD MA.
Start the wizard
Start by opening the Synchronization Service Manager and click Management Agents, then Create. Select Active Directory Domain Services as the type of MA:
I have named it “AD MIM.local”, but the name is not important.
Connect to the AD Forest
- Forest name: mim.local
- User name: MIMADSync
- Domain: MIM
- Options: Enable Sign and Encrypt LDAP Traffic
Configure AD Partitions
- Select the MIM.local partition.
- Select the MIM OU as the container. This limits MIM's sphere of influence in AD.
Configure provisioning hierarchy
- Accept defaults.
Select object types
- Add group
- Add User
Select attributes
- Check “Show All” to list all attributes.
- Select the following attributes:
  - company
  - displayName
  - employeeID
  - employeeType
  - givenName
  - groupType
  - managedBy
  - manager
  - member
  - objectSid
  - sAMAccountName
  - sAMAccountType
  - sn
  - unicodePwd
  - userAccountControl
Complete the wizard
Accept default for the remaining pages.
Create Run Profiles
Run Profiles are managed in the “Configure Run Profiles” dialog in Synchronization Service Manager. For this setup, we will just give them a name and select a step type. There are a lot of other options to play with if you wish, or you can just accept the defaults for now.
You begin by giving it a name. You can choose any name you want, but it is easier if you use one that reflects what the profile does.
The next page lets you select a step-type. Run profiles can have multiple steps.
Create run profiles according to the table below for BOTH management agents.
Name | Type |
Full Import | Full Import (Stage Only) |
Full Sync | Full Synchronization |
Delta Import | Delta Import |
Delta Sync | Delta Synchronization |
Export | Export |
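The run profiles above can also be driven from PowerShell through the Synchronization Service WMI interface instead of the UI. This is an added example, not code from the original post; it assumes it runs on the sync server as a member of the MIM sync admins group, uses the MA name “AD MIM.local” from this chapter, and leaves the name of the second (MIM Service) MA as a placeholder for you to fill in.

```powershell
# Added example: run the profiles defined above in the usual order
# (import, then sync, then export) and stop on the first non-success status.
# Assumptions: run on the sync server as a MIM sync admin; the second MA name
# is a placeholder, since this chapter does not name it.
$namespace = 'root\MicrosoftIdentityIntegrationServer'
$maNames   = @('AD MIM.local', '<NAME OF YOUR MIM SERVICE MA>')

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)

    $ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent `
                        -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    # Execute() blocks until the run finishes and returns the run status string
    $status = $ma.Execute($ProfileName).ReturnValue
    Write-Host ("{0,-35} {1,-12} {2}" -f $MaName, $ProfileName, $status)

    # Anything other than 'success' (for example 'completed-sync-errors' or a
    # 'stopped-*' status) aborts the sequence, so a failed import never feeds
    # a sync or export downstream.
    if ($status -ne 'success') {
        throw "$ProfileName on '$MaName' ended with status '$status'"
    }
}

# Stage every connector space first, then synchronize, then export.
foreach ($profile in 'Full Import', 'Full Sync') {
    foreach ($ma in $maNames) { Invoke-RunProfile -MaName $ma -ProfileName $profile }
}
foreach ($ma in $maNames) { Invoke-RunProfile -MaName $ma -ProfileName 'Export' }
```

The status strings come from the same run history you see in Synchronization Service Manager, so a run that stops here will show the same result in the Operations view.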
Configure the MIM Service
Now it is time to create the AD user inbound sync rule in the portal. Go to the Administration part of the portal and select Sync Rules:
- Create a new rule by clicking New.
- Supply a display name. I named it “MIM.local user inbound sync”.
- Select Inbound data flow and move to the Scope page.
- Metaverse resource type: Person
- External System: AD MIM.local (the name of the AD management agent)
- External system resource type: user
- Move to the Relationship page
- Use objectSID as the relationship criteria.
- Enable “Create resource in MIM”
- Move to the Inbound Attribute Flow page.
- Define flow rules according to the following table:
Source | Destination |
samAccountName | accountName |
displayName | displayName |
EmployeeType | employeeType |
givenName | firstName |
sn | lastName |
Manager | manager |
objectSID | ObjectSID |
“MIM” | domain |
Note that we flow a constant string to the domain attribute.
Click Finish and then Submit to complete the wizard.
The end of MIM LAB 6
This post is part of a series, and the chapter index is located here.
In the next chapter, we will test the run profiles and enable provisioning.